This is fantastic. I was also surprised to find the other TA only pulling Audit logs (missing sender and message_id)--so thank you for sharing this app. Does anyone know how well the "Microsoft Office 365 Reporting Add-on for Splunk" scales? For example, what is the max number of emails per day they have seen pulled in? Or the size of the o365 instance (number of users)? Thanks again ... View more

I downvoted this post because a link to documentation does not answer the question. including an example would be more helpful. ... View more

Here is how to do this in Windows: NOTE: sslRootCAPath is ignored in Windows. Instead use: caCertFile (Thank you Splunk support....) Create the certs: mkdir c:\progra~1\Splunk\etc\certs C:\progra~1\Splunk\bin\splunk.exe cmd cmd.exe /c c:\progra~1\Splunk\bin\genRootCA.bat -d c:\progra~1\Splunk\etc\certs C:\progra~1\Splunk\bin\splunk.exe cmd python c:\progra~1\Splunk\bin\genSignedServerCert.py -d c:\progra~1\Splunk\etc\certs -n splunk -c splunk -p Add the following to: c:\Program Files\Splunk\etc\system\local\server.conf [sslConfig] caCertFile = c:\progra~1\Splunk\etc\certs\cacert.pem Add the following to: c:\Program Files\Splunk\etc\apps\your_app_here\local\inputs.conf [tcp-ssl://6514] disabled = false sourcetype = <optional> index = <optional> source = <optional> [SSL] sslPassword = <The password that was used in the genSignedServerCert> requireClientCert = false serverCert = c:\progra~1\Splunk\etc\certs\splunk.pem Restart Splunk: c:\progra~1\Splunk\bin\splunk.exe restart Now verify the port is open using: netstat -an | findstr :6514 ... View more

Similar to justinbarta, this is what worked for me: 0) Make a note of the settings that are currently working from the TA setup page (I copy and pasted it into Word) 1) Delete or move to a temp directory, the config files in: $SPLUNK_HOME$/etc/apps/TA-QualysCloudPlatform/local (app.conf and qualys.conf) 2) Restart Splunk 3) Enter information in TA setup page again with new credentials Re-installation of the TA was not needed. ... View more

Thanks for the post sir. Just an FYI, your hyperlink to github includes your close parenthesis and period. For example: https://gist.github.com/sworisbreathing/d236895568eaf31da579%29. The fix is to remove '%29.' Thanks again ... View more

Is it possible to do this in a scheduled report? ... View more

Agreed. A solution for a report would be ideal. ... View more

Wow... what should be a simple feat is really a moving target. It appears the process has been changed again in Splunk 6.5.0+ Here is what you need to do now: Generate certs: mkdir /opt/splunk/etc/certs export OPENSSL_CONF=/opt/splunk/openssl/openssl.cnf /opt/splunk/bin/genRootCA.sh -d /opt/splunk/etc/certs /opt/splunk/bin/genSignedServerCert.sh -d /opt/splunk/etc/certs -n splunk -c splunk -p $SPLUNK_HOME/etc/apps//local/inputs.conf: [tcp-ssl://6514] disabled = false sourcetype = <optional> index = <optional> source = <optional> [SSL] serverCert = /opt/splunk/etc/certs/splunk.pem sslPassword = <The password that was used in the genSignedServerCert> requireClientCert = false $SPLUNK_HOME/etc/system/local/server.conf: [sslConfig] sslRootCAPath = /opt/splunk/etc/certs/cacert.pem Restart Splunk: $SPLUNK_HOME/bin/splunk restart splunkd Verify the port is open: netstat -an | grep :6514 ... View more

Note: Splunk seems to have deprecated the password parameter. It is now: sslPassword. Also note: You may need to replace $SPLUNK_HOME with /opt/splunk or whatever your path may be... Pro-tips: - Check the port status with netstat -an | grep :6514 (following our above example) - You may also want to use this command for troubleshooting: /opt/splunk/bin/splunk btool check --debug - If you are still having issues with the port opening, try to retype the sslPassword and save the file. If you mistype the password, this will not work. ... View more

Any traction on the Enhancement Request? Just curious. Thanks. ... View more

Were you able to discover a graceful solution? I am also having this issue. Quite frustrating that it does not default to the FQDN. Thanks. ... View more

This is quite the popular topic. Sounds like a feature request to me... ... View more

Any more details on this? I tried the following which did not work: cd $SPLUNK_HOME/var/lib/splunk/ tar -zcvf mydatabase.tgz mydatabase I then copied the .tgz to another splunk instance and untar'd it in the same location. Restarted Splunk and Splunk restarts with the Index disabled. Any ideas? ... View more

Are you using Splunk Universal forwarder to send the data there? If so, it would be nice if the Splunk UF had a way to change the host variable from hostname to fqdn or something similar. If you have the following scenario it will cause issues: host1.red.net host1.blue.net Both hosts show up as host=host1 which is obviously not ideal. In my case the logs do not indicate the IP address or FQDN and thus cannot be parsed from the logs. ... View more

It would be nice if the Splunk UF had a way to change the host variable from hostname to fqdn or something similar. If you have the following scenario it will cause issues: host1.red.net host1.blue.net Both hosts show up as host=host1 which is obviously not ideal. ... View more

Thanks somesoni2: c:\ProgramFiles\SplunkUniversalForwarder\bin\splunk.exe list forward-server -auth username:password Worked for me for supplying creds, however I am not using powershell to call this... instead I am using winexe from Linux. ... View more

Make sure if you copy and paste from the commands.conf file example above, you remove the comment: passauth = true #<- the keys to the castle It should just be: passauth = true Splunk conf files don't always like comments at the end of a line ... View more

I tried your method, but received an error. Any ideas on the following? AttributeError: 'module' object has no attribute 'session' ... View more

I have been able to get the sessionKey by doing this: import splunk.auth as auth sessionKey = auth.getSessionKey('admin','<password for admin>') It may help in your troubleshooting, but if you have to hard code the admin credentials to get access to other credentials, what is the point... This is very frustrating because it seems that the behavior may have changed from Splunk v4 -> Splunk v6. ... View more

I downvoted this post because this did not seem to work for me. i have the following error: attributeerror: 'module' object has no attribute 'session' do you have a move complete answer? ... View more

Just released version 1.1.8 of the Forensic Investigator app. We added proxy support for VT Lookup. You enter the proxy settings via the setup page (Help -> Configure App). It doesn't support authenticated proxies, but let us know if it works otherwise. Authenticated proxy support will be added in the next release. Thanks for your patience. ... View more

You are correct per my previous comment: "Splunk, by default, looks for date/time as the start of events. Thus it is seeing "occurred": "2016-12-16 04:31:05+00", and assuming that it is the start of an event and is automatically truncating. This means that the line breaker is not working properly for some reason." I am trying to replicate the issue now. ... View more

I also dug into why the JSON over syslog isn't working correctly. We tried to make Splunk parse all fields within JSON and XML. In order to do this, we added a feature to strip syslog headers and convert the event into JSON or XML that Splunk would recognize using a transform called "syslog-header-stripper-ts-host-proc", under the syslog stanza. There are two problems with this approach. 1) When the data is sent as fe_json_syslog and not as syslog and then auto converted to fe_json_syslog, the header is not stripped and thus Splunk does not recognize it as JSON data with the syslog header 2) When data is sent in as syslog and the header is stripped, Splunk parses as the data which is great, however when you expand an event it can be more than your browser can handle. For example, an XML or JSON normal event can be 300,000 lines long with over a million parsable fields. When expanded, your browser's memory can spike trying to display all the data and cause the browser to freeze or crash. We are working on a fix to #1 and then a fix to #2. ... View more

Splunk, by default, looks for date/time as the start of events. Thus it is seeing "occurred": "2016-12-16 04:31:05+00", and assuming that it is the start of an event and is automatically truncating. This means that the line breaker is not working properly for some reason. What does Splunk indicate as the sourcetype when viewing the event? ... View more

Thanks for the question. Not sure when we will support HEC, however let's see if we can troubleshoot your current issues. In terms of HTTP RESTful sending. Did you see page 11 and page 30 of the configuration guide found below? https://www.fireeye.com/content/dam/fireeye-www/global/en/partners/pdfs/config-guide-fireeye-app-for-splunk-enterprise.pdf Page 11 provides steps to set it up. Page 30 provides some troubleshooting tricks. If those don't work, feel free to send me an email via the Help -> Send Feedback feature in the app itself and we can troubleshoot some more. ... View more